Abstract

In this paper we extend the algorithm for extraspecial groups in [12], and show that the hidden 
subgroup problem in nil-2 groups, that is in groups of nilpotency class at most 2, can be solved efficiently 
by a quantum procedure. The algorithm presented here has several additional features. It contains a 
powerful classical reduction for the hidden subgroup problem in nilpotent groups of constant nilpotency 
class to the specific case where the group is a p-group of exponent p and the subgroup is either trivial 
or cyclic. This reduction might also be useful for dealing with groups of higher nilpotency class. The 
quantum part of the algorithm uses well chosen group actions based on some automorphisms of nil-2 
groups. The right choice of the actions requires the solution of a system of quadratic and linear equations. 
The existence of a solution is guaranteed by the Chevalley-Warning theorem, and we prove that it can
also be found efficiently.

1 Introduction



Efficient solutions to some cases of the hidden subgroup problem (HSP), a paradigmatic group theoretical
problem, constitute probably the most notable success of quantum computing. The problem consists in
finding a subgroup H in a finite group G hidden by some function which is constant on each coset of H
and is distinct in different cosets. The hiding function can be accessed by an oracle, and in the overall
complexity of an algorithm, a query counts as a single computational step. To be efficient, an algorithm has
to be polylogarithmic in the order of G. While classically not even query efficient algorithms are known for
the HSP, it can be solved efficiently in abelian groups by a quantum algorithm. A detailed description of the
so called standard algorithm can be found for example in [18]. The main quantum tool of this algorithm is
Fourier sampling, based on the efficiently implementable Fourier transform in abelian groups. Factorization
and discrete logarithm [51] are special cases of this solution.

After the settling of the abelian case, substantial research was devoted to the HSP in some finite non-abelian
groups. Beside being the natural generalization of the abelian case, the interest of this problem
is enhanced by the fact that important algorithmic problems, such as graph isomorphism, can be cast
in this framework. The standard algorithm has been extended to some non-abelian groups by Rötteler
and Beth [19], Hallgren, Russell and Ta-Shma [5], Grigni, Schulman, Vazirani and Vazirani and Moore,
Rockmore, Russell and Schulman [17]. For the Heisenberg group, Bacon, Childs and van Dam [1] used the
pretty good measurement to reduce the HSP to some matrix sum problem that they could solve classically.
Ivanyos, Magniez and Santha [11] and Friedl, Ivanyos, Magniez, Santha and Sen [5] have efficiently reduced
the HSP in some non-abelian groups to HSP instances in abelian groups using classical and quantum group
theoretical tools, but not the non-abelian Fourier transform. This latter approach was used recently by
Ivanyos, Sanselme and Santha [12] for extraspecial groups.

In this work we extend the class of groups where the HSP is efficiently solvable by a quantum algorithm 
to nilpotent groups of nilpotency class at most 2 (shortly nil-2 groups). These are groups whose lower (and 
upper) central series are of length at most 2. Equivalently, a group is a nil-2 group if the derived group is a
subgroup of the center. Nilpotent groups form a rich subclass of solvable groups, they contain for example
all (finite) p-groups. Extraspecial groups are, in particular, nil-2 groups. Our main result is:

Theorem 1. Let G be a nil-2 group, and let us be given an oracle f which hides the subgroup H of G. Then
there is an efficient quantum procedure which finds H.

The overall structure of the algorithm presented here is closely related to the algorithm in [12] for
extraspecial groups, but has also several additional features. The quantum part of the algorithm is restricted
to specific nil-2 groups, which are also p-groups and are of exponent p. It consists essentially in the creation
of a quantum hiding procedure (a natural quantum generalization of a hiding function) for the subgroup HG'
of G. The procedure uses certain automorphisms of the groups to define some appropriate group actions,
and is analogous to what has been done in [12] for extraspecial p-groups of exponent p.

While dealing with extraspecial p-groups of exponent p basically solves the HSP for all extraspecial groups
(the case of remaining groups, of exponent $p^2$, easily reduces to groups of exponent p), this is far from being
true for nil-2 groups. Indeed, one of the main new features of the current algorithm is a classical reduction of
the HSP in nil-2 groups to the HSP in nil-2 p-groups of exponent p, where moreover the hidden subgroup is
either trivial or of cardinality p. In fact, our result is much more general: we prove an analogous reduction in
nil-k groups for any constant k. We believe that this general reduction might be useful for designing efficient
quantum algorithms for the HSP in groups of higher nilpotency class.

Our second main novel feature concerns the quantum hiding procedure. While in extraspecial groups it
was reduced to the efficient solvability of a single quadratic and a single linear equation modulo p, here we
look for a nontrivial solution of a homogeneous system of d quadratic and d linear equations, where d can be
any integer. The reason for this is that while in extraspecial groups the derived subgroup is one dimensional,
in nil-2 groups we have no a priori bound on its dimension. If the number of variables is greater than the
global degree of the system then the solvability itself is an immediate consequence of the Chevalley-Warning
theorem [3, 22]. In fact, we are in presence of a typical example of Papadimitriou's complexity class of total
functions [16]: the number of solutions is divisible by p and therefore there is always a nontrivial one. Our
result is that if the number of variables is sufficiently large, more precisely is of $O(d^3)$, then we can also find
a nontrivial solution in polynomial time.

The structure of the paper is the following. In Section 2 we shortly describe the extension of the standard
algorithm for quantum hiding procedures, and then we discuss some basic properties of nilpotent groups,
in particular nil-2 p-groups of exponent p. Section 3 contains the description of the classical reduction of
the HSP in groups of constant nilpotency class to instances where the group is also a p-group of exponent
p, and the subgroup is either trivial or cyclic of order p (Theorem 2). Section 4 gives the description of
the quantum algorithm in nil-2 p-groups of exponent p: Theorem 3 briefly describes the reduction to the
design of an efficient hiding procedure for HG', and Theorem 4 proves the existence of such a procedure.
Finally Section 5 gives the proof of Theorem 5, the efficient solvability of the system of quadratic and linear
equations. The proof of Theorem 1 follows from Corollary 1 and Theorems 3 and 4.

2 Preliminaries 

2.1 Extension of the standard algorithm for the abelian HSP 

We will use standard notions of quantum computing for which one can consult for example [15]. For a finite
set X, we denote by $|X\rangle$ the uniform superposition $\frac{1}{\sqrt{|X|}}\sum_{x \in X}|x\rangle$ over X. For a superposition $|\Psi\rangle$, we
denote by $\mathrm{supp}(|\Psi\rangle)$ the support of $|\Psi\rangle$, that is the set of basis elements with non-zero amplitude.

The standard algorithm for the abelian HSP repeats polynomially many times the Fourier sampling 
involving the same hiding function, to obtain in each iteration a random element from the subgroup orthogonal
to the hidden subgroup. In fact, for the repeated Fourier samplings, the existence of a common hiding
function can be relaxed in several ways. Firstly, in different iterations different hiding functions can be used, 
and secondly, classical hiding functions can be replaced by quantum hiding functions. This was formalized 
in [12], and we recall here the precise definition. 

A set of vectors $\{|\Psi_g\rangle : g \in G\}$ from some Hilbert space $\mathcal{H}$ is a hiding set for the subgroup H of G if

• $|\Psi_g\rangle$ is a unit vector for every $g \in G$,

• if g and g' are in the same left coset of H then $|\Psi_g\rangle = |\Psi_{g'}\rangle$,

• if g and g' are in different left cosets of H then $|\Psi_g\rangle$ and $|\Psi_{g'}\rangle$ are orthogonal.

A quantum procedure is hiding the subgroup H of G if for every $g_1, \ldots, g_N \in G$, on input $|g_1\rangle \ldots |g_N\rangle|0\rangle$ it
outputs $|g_1\rangle \ldots |g_N\rangle|\Psi^1_{g_1}\rangle \ldots |\Psi^N_{g_N}\rangle$ where $\{|\Psi^i_g\rangle : g \in G\}$ is a hiding set for H for all $1 \le i \le N$.

The following fact whose proof is immediate from Lemma 1 in [11] recasts the existence of the standard
algorithm for the abelian HSP in the context of hiding sets. 

Fact 1. Let G be a finite abelian group. If there exists an efficient quantum procedure which hides the 
subgroup H of G then there is an efficient quantum algorithm for finding H . 

2.2 Nilpotent groups 

Let G be a finite group. For two elements $g_1$ and $g_2$ of G, we usually denote their product by $g_1g_2$. If we
conceive group multiplication from the right as a group action of G on itself, we will use the notation $g_1 \cdot g_2$
for $g_1g_2$. We write $H \le G$ when H is a subgroup of G, and $H < G$ when it is a proper subgroup. Normal
subgroups and proper normal subgroups will be denoted respectively by $H \trianglelefteq G$ and $H \triangleleft G$. For a subset X
of G, let $\langle X\rangle$ be the subgroup generated by X. The normalizer of X in G is $N_G(X) = \{g \in G : gX = Xg\}$.
For an integer n, we denote by $\mathbb{Z}_n$ the group of integers modulo n, and for a prime number p, we denote by
$\mathbb{Z}_p^*$ the multiplicative group of integers relatively prime with p.

The commutator $[x,y]$ of elements x and y is $x^{-1}y^{-1}xy$. For two subgroups X and Y of G, let $[X,Y]$
be $\langle\{[x,y] : x \in X, y \in Y\}\rangle$. The derived subgroup $G'$ of G is defined as $[G,G]$, and its center $Z(G)$
as $\{z \in G : gz = zg \text{ for all } g \in G\}$. The lower central series of G is the series of subgroups
$G = A_1 \trianglerighteq A_2 \trianglerighteq \ldots$, where $A_{i+1} = [A_i, G]$ for every $i \ge 1$. The upper central series of G is the series of
subgroups $\{1\} = Z_0 \trianglelefteq Z_1 \trianglelefteq Z_2 \ldots$, where $Z_{i+1} = \{x \in G : [x,g] \in Z_i \text{ for all } g \in G\}$ for every $i \ge 0$. Clearly
$A_2 = G'$ and $Z_1 = Z(G)$. The group G is nilpotent if there is a natural number n such that $A_{n+1} = \{1\}$. If
n is the smallest integer such that $A_{n+1} = \{1\}$ then G is nilpotent of class n. It is a well known fact that
G is nilpotent of class n if and only if $Z_n = G$ in the upper central series. Nilpotent groups of class 1 are
simply the nontrivial abelian groups. A nilpotent group of class at most n is called a nil-n group.

A detailed treatment of nilpotent groups can be found for example in Hall [7]. Let us just recall here that 
nilpotent groups are solvable, and that every p-group is nilpotent, where a p-group is a finite group whose 
order is a power of some prime number p. 



2.3 Nil-2 p-groups of exponent p 

It is clear from the definition of nilpotent groups that G is a nil-2 group if $G' \le Z(G)$. It is easy to see that
this property implies that the commutator is a bilinear function in the following sense.

Fact 2. Let G be a nil-2 group. Then for every $g_1, g_2, g_3, g_4$ in G,

$$[g_1g_2, g_3g_4] = [g_1,g_3]\,[g_1,g_4]\,[g_2,g_3]\,[g_2,g_4].$$

The quantum part of our algorithm will deal only with special nilpotent groups of class 2, which are also 
p-groups and are of exponent p. The structure of these special groups is well known, and is expressed in the 
following simple fact. 

Fact 3. Let G be a p-group of exponent p and of nilpotency class 2. Then there exist positive integers m
and d, group elements $x_1, \ldots, x_m \in G$ and $z_1, \ldots, z_d \in G'$ such that

1. $G/G' \cong \mathbb{Z}_p^m$ and $G' \cong \mathbb{Z}_p^d$,

2. for every $g \in G$ there exists a unique $(e_1, \ldots, e_m, f_1, \ldots, f_d) \in \mathbb{Z}_p^{m+d}$ such that
$g = x_1^{e_1} \cdots x_m^{e_m} z_1^{f_1} \cdots z_d^{f_d}$,

3. $G = \langle x_1, \ldots, x_m\rangle$ and $G' = \langle z_1, \ldots, z_d\rangle$.

We will say that a nil-2 p-group G of exponent p has parameters (m, d) if $G/G' \cong \mathbb{Z}_p^m$ and $G' \cong \mathbb{Z}_p^d$. In
those groups we will identify $G'$ and $\mathbb{Z}_p^d$. Thus, for two elements z and z' of $G'$, the product zz' is just
$z \oplus z'$ where $\oplus$ denotes the coordinate-wise addition modulo p. If G is such a group then $|G| = p^{m+d}$.
The elements of G can be encoded by binary strings of length $O((m + d) \log p)$, and an efficient algorithm
on input G has to be polynomial in m, d and log p.

For $j = 1, \ldots, p-1$, we consider on generators the maps $x_i \mapsto x_i^j$. It turns out that these maps extend
to automorphisms $\phi_j$ of G. We also define the map $\phi_0$ by letting $\phi_0(g) = 1$, for every $g \in G$.

Proposition 1. Let G be a p-group of exponent p and of nilpotency class 2. Then the mappings $\phi_j$ have the
following properties:

1. $\forall j \in \mathbb{Z}_p, \forall z \in G'$, $\phi_j(z) = z^{j^2}$,

2. $\forall g \in G, \exists z_g \in G', \forall j \in \mathbb{Z}_p$, $\phi_j(g) = g^j z_g^{j-j^2}$.

Proof. The first statement is trivial when $j = 0$. Otherwise, observe that for every $j \in \mathbb{Z}_p^*$, and for every
$g \in G$, there exists $z \in G'$ such that $\phi_j(g) = g^j z$ since $G/G'$ is abelian. To prove the first statement,
let $z = [g_1, g_2]$. Then by this remark, there exist $z_1$ and $z_2$ in $G'$ such that $\phi_j([g_1, g_2]) = [g_1^j z_1, g_2^j z_2]$. By
repeated applications of Fact 2 this is easily seen to be $([g_1, g_2])^{j^2}$.

We now turn to the second statement. Let $j_0$ be a fixed primitive element of $\mathbb{Z}_p^*$. Then $\phi_{j_0}(g) = g^{j_0}s$, for
some $s \in G'$. Set $z_g = s^{(j_0 - j_0^2)^{-1}}$, we have $\phi_{j_0}(g) = g^{j_0} z_g^{j_0 - j_0^2}$. Let $k = g z_g$, then $\phi_{j_0}(k) = g^{j_0} z_g^{j_0 - j_0^2} z_g^{j_0^2} = k^{j_0}$.
Therefore, for all $j \in \mathbb{Z}_p$, we have $\phi_j(k) = k^j$ and $\phi_j(g) = \phi_j(k)\phi_j(z_g^{-1}) = g^j z_g^{j} z_g^{-j^2}$.

□

Clearly, for every $g \in G$, the element $z_g$ whose existence is stated in the second part of Proposition 1 is
unique. From now on, let $z_g$ denote this unique element.
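
The structure described in this section can be checked on a small concrete group. The Python model below is an added illustration, not code from the paper: it assumes p odd, stores $x_1^{e_1} \cdots x_m^{e_m} z_1^{f_1} \cdots z_d^{f_d}$ as the pair (e, f), uses a constructed commutator table, and builds $z_g$ as in the proof of Proposition 1.

```python
from itertools import product


class Nil2Group:
    """Pairs (e, f) in Z_p^m x Z_p^d standing for x_1^e1...x_m^em z_1^f1...z_d^fd."""

    def __init__(self, p, m, d, comm):
        # comm[(j, i)] = [x_j, x_i] as a vector of Z_p^d, for j > i (0-based); p odd.
        self.p, self.m, self.d, self.comm = p, m, d, comm
        self.one = ((0,) * m, (0,) * d)

    def mul(self, g, h):
        # Collection rule: x_j^a x_i^b = x_i^b x_j^a [x_j, x_i]^(ab) for j > i.
        (e, f), (e2, f2) = g, h
        z = [(a + b) % self.p for a, b in zip(f, f2)]
        for (j, i), c in self.comm.items():
            for k in range(self.d):
                z[k] = (z[k] + e[j] * e2[i] * c[k]) % self.p
        return tuple((a + b) % self.p for a, b in zip(e, e2)), tuple(z)

    def power(self, g, k):
        r = self.one
        for _ in range(k):
            r = self.mul(r, g)
        return r

    def inv(self, g):
        return self.power(g, self.p - 1)      # valid because the exponent is p

    def commutator(self, g, h):
        # [g, h] = g^-1 h^-1 g h
        return self.mul(self.mul(self.inv(g), self.inv(h)), self.mul(g, h))

    def phi(self, j, g):
        # Extension of x_i -> x_i^j to normal words: (e, f) -> (j e, j^2 f).
        e, f = g
        return (tuple(j * a % self.p for a in e),
                tuple(j * j * b % self.p for b in f))

    def elements(self):
        for e in product(range(self.p), repeat=self.m):
            for f in product(range(self.p), repeat=self.d):
                yield e, f


def primitive_root(p):
    return next(a for a in range(2, p)
                if len({pow(a, t, p) for t in range(1, p)}) == p - 1)


def z_of(G, g):
    """z_g as built in the proof: phi_j0(g) = g^j0 * s, z_g = s^(1/(j0 - j0^2))."""
    j0 = primitive_root(G.p)
    s = G.mul(G.inv(G.power(g, j0)), G.phi(j0, g))
    assert s[0] == (0,) * G.m                 # s lies in G'
    return G.power(s, pow((j0 - j0 * j0) % G.p, -1, G.p))


def has_exponent_p(G):
    return all(G.power(g, G.p) == G.one for g in G.elements())


def phi_is_homomorphism(G):
    els = list(G.elements())
    return all(G.phi(j, G.mul(g, h)) == G.mul(G.phi(j, g), G.phi(j, h))
               for j in range(1, G.p) for g in els for h in els)


def proposition1_holds(G):
    p = G.p
    for g in G.elements():
        zg = z_of(G, g)
        for j in range(p):
            if G.phi(j, g) != G.mul(G.power(g, j), G.power(zg, (j - j * j) % p)):
                return False                  # statement 2 fails
            if g[0] == (0,) * G.m and G.phi(j, g) != G.power(g, j * j % p):
                return False                  # statement 1 fails
    return True


# Constructed sample: p = 3, parameters (m, d) = (3, 2), |G| = 3^5 = 243.
SAMPLE = Nil2Group(3, 3, 2, {(1, 0): (1, 0), (2, 0): (0, 1), (2, 1): (1, 1)})

if __name__ == "__main__":
    x1, x2 = ((1, 0, 0), (0, 0)), ((0, 1, 0), (0, 0))
    print("[x2, x1] =", SAMPLE.commutator(x2, x1))
    print("exponent p:", has_exponent_p(SAMPLE))
    print("phi_j homomorphisms:", phi_is_homomorphism(SAMPLE))
    print("Proposition 1:", proposition1_holds(SAMPLE))
    print("z_g for g = x1 x2:", z_of(SAMPLE, SAMPLE.mul(x1, x2)))
```

In these coordinates the element $z_g$ depends only on the normal word of g, which is why it can be computed once per g and reused for every j.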

3 Classical reductions in groups of constant nilpotency class 

In order to present the reduction methods in a sufficiently general way, in this section we assume that our
groups are presented in terms of so-called refined polycyclic presentations [9]. Such a presentation of a finite
solvable group G is based on a sequence $G = G_1 \triangleright \cdots \triangleright G_{s+1} = \{1\}$, where for each $1 \le i \le s$ the subgroup
$G_{i+1}$ is a normal subgroup of $G_i$ and the factor group $G_i/G_{i+1}$ is cyclic of prime order $r_i$. For each $i \le s$ an
element $g_i \in G_i \setminus G_{i+1}$ is chosen. Then $g_i^{r_i} \in G_{i+1}$. Every element g of G can be uniquely represented as a
product of the form $g_1^{e_1} \cdots g_s^{e_s}$, called the normal word for g, where $0 \le e_i < r_i$.

In the abstract presentation the generators are $g_1, \ldots, g_s$, and for each index $1 \le i \le s$, the following
relations are included:

• $g_i^{r_i} = u_i$, where $u_i = g_{i+1}^{a_{i,i+1}} \cdots g_s^{a_{i,s}}$ is the normal word for $g_i^{r_i} \in G_{i+1}$,

• $g_i^{-1}g_jg_i = w_{ij}$ for every $j > i$, where $w_{ij} = g_{i+1}^{b_{i,j,i+1}} \cdots g_s^{b_{i,j,s}}$ is the normal word for $g_i^{-1}g_jg_i \in G_{i+1}$.

Using a quantum implementation [11] of an algorithm of Beals and Babai [2], a refined polycyclic presentation
for a solvable black box group can be computed in polynomial time. We assume that elements of G are
encoded by normal words and there is a polynomial time algorithm in log |G|, the so called collection
procedure, which computes normal words representing products. This is the case for nilpotent groups of
constant class [TD]. If there is an efficient collection procedure then refined polycyclic presentations for
subgroups and factor groups can be obtained in polynomial time [H]. Also, the major notable subgroups
including Sylow subgroups, the center and the commutator can be computed efficiently. Furthermore, in
p-groups with refined polycyclic presentation, normalizers of subgroups can be computed in polynomial time
using the technique of [4], combined with the subspace stabilizer algorithm of [14].

Our first theorem is a classical reduction for the HSP in groups of constant nilpotency class. The proof 
is given by the subsequent three lemmas. 

Theorem 2. Let C be a class of groups of constant nilpotency class that is closed under taking subgroups 
and factor groups. Then the hidden subgroup problem in members of C can be reduced to the case where the 
group is a p-group of exponent p, and the subgroup is either trivial or of cardinality p.

Corollary 1. The hidden subgroup problem in nil-2 groups can be reduced to the case where the group is a
p-group of exponent p, and the subgroup is either trivial or of cardinality p.

Lemma 1. Let C be a class of groups of constant nilpotency class that is closed under taking subgroups and
factor groups. Then the HSP in C can be reduced to the HSP of p-groups belonging to C.

Proof. As a nilpotent group G is the direct product of its Sylow subgroups, any subgroup of G is the 
product of its intersections with the Sylow subgroups of G. □ 

Lemma 2. Let C be a class of p-groups of constant nilpotency class that is closed under taking subgroups 
and factor groups. Then the hidden subgroup problem in members of C can be reduced to the case where the 
subgroup is either trivial or of cardinality p. 

Proof. Assume that we have a procedure $\mathcal{P}$ which finds hidden subgroups in C under the promise that the
hidden subgroup is trivial or is of order p. Let G be a group in C and let f be a function on G hiding the
subgroup H of G. We describe an iterative procedure which uses $\mathcal{P}$ as a subroutine and finds H in G. The
basic idea is to compute a refined polycyclic sequence $G = G_1 \triangleright \cdots \triangleright G_s \triangleright 1$ for G and to proceed calling $\mathcal{P}$
on the subgroups in the sequence starting with $G_s$. When $\mathcal{P}$ finds for the first time a nontrivial subgroup
generated by h, then we would like to restart the process in $G/\langle h\rangle$, and at the end, collect all the generators.
Since $\langle h\rangle$ is not necessarily a normal subgroup of G we will actually restart the process instead in $N_G(\langle h\rangle)$.

More formally, let us suppose that f hides H in G, and let $\tilde{H}$ be some subgroup of H. Then f hides
$N_G(\tilde{H}) \cap H$ in $N_G(\tilde{H})$, and therefore it hides $(N_G(\tilde{H}) \cap H)/\tilde{H}$ in $N_G(\tilde{H})/\tilde{H}$. We consider the following
algorithm:



Algorithm 1 

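success := TRUE, $\tilde{H}$ := {1}.
while success = TRUE do
    if $G \ne \tilde{H}$ then
        compute $N_G(\tilde{H})/\tilde{H} = G_1 \triangleright \cdots \triangleright G_s \triangleright 1$ a refined polycyclic representation, i := s
        while i > 0 do
            call $\mathcal{P}$ on $G_i$
            if $\mathcal{P}$ returns $\langle h\rangle$ then
                $\tilde{H}$ := $\langle \tilde{H} \cup \{h\}\rangle$, i := 0
            else
                i := i − 1
                if i = 0 then
                    success := FALSE
                end if
            end if
        end while
    else
        success := FALSE
    end if
end while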



Algorithm 1 stops when the subgroup $\tilde{H}$ is such that $(N_G(\tilde{H}) \cap H)/\tilde{H} = \{1\}$, that is when $N_G(\tilde{H}) \cap H = \tilde{H}$.
We claim that this implies $\tilde{H} = H$. Indeed, suppose that $\tilde{H}$ is a proper subgroup of H. Since in nilpotent
groups a proper subgroup is also a proper subgroup of its normalizer, $\tilde{H}$ is also a proper subgroup of
$N_H(\tilde{H}) = N_G(\tilde{H}) \cap H$.

Finally observe that the whole process makes $O(\log_p |G|)$ calls to $\mathcal{P}$.

□ 

Lemma 3. Let C be a class of p-groups of constant nilpotency class that is closed under taking subgroups
and factor groups. Then the instances of the hidden subgroup problem in members of C, when the subgroup
is either trivial or of cardinality p, can be reduced to groups in C of exponent p.

Proof. If p is not larger than the class of G, the algorithm of [5] is applicable. Otherwise the elements of
order p or 1 form a subgroup $G^*$, see Chapter 12 of [7]. The hidden subgroup H is also a subgroup of
$G^*$ since $|H| \le p$. The function hiding H in G also hides it in $G^*$, therefore the reduction will consist in
determining $G^*$.

We design an algorithm that finds $G^*$ by induction on the length of refined polycyclic presentations. If
$|G| = p$ then $G^* = G$. Otherwise, let $G = G_1 \triangleright G_2 \triangleright \cdots \triangleright G_s \triangleright \{1\}$ be a refined polycyclic presentation with
$s \ge 2$. It is easy to construct a presentation where $G_s$ is a subgroup of the center of G, which we suppose
from now on. For the ease of notation we set $M = G_2$ and $N = G_s$.

We first describe the inductive step in a simplified case, with the additional hypothesis $(G/N)^* = G/N$.
Observe that the hypothesis is equivalent to saying that the map $\phi : x \mapsto x^p$ sends every element of G into
N. From this it is also clear that the hypothesis carries over to M, that is $(M/N)^* = M/N$. We further
claim that either $G^* = G$ or $G^*$ is a subgroup of G of index p. In fact this follows from Theorem 12.4.4 of [7]
which states that the map $\phi$ is constant on cosets of $G^*$ and distinct on different cosets. From a polycyclic
presentation of G it can be read off whether or not $G = G^*$. If $G^* = G$ we are done. Otherwise we compute
inductively $M^*$. If $M^* = M$ then $G^* = M$. If $M^*$ is a proper subgroup of M then $M^*$ has index $p^2$ in G.
Pick an arbitrary $u \in M \setminus M^*$ and $y \in G \setminus M$. By the assumptions, $u^p = g_s^{j_u}$ for some integer $0 < j_u < p$,
and $y^p = g_s^{j_y}$ for some integer $0 < j_y < p$. Recall that in the polycyclic presentation model, computing
normal words for $u^p$ and $y^p$ (using fast exponentiation) amounts to computing $j_u$ and $j_y$. Set x = .
For this x we have $x^p = y^p$, and therefore $xy^{-1} \in G^*$. Since $xy^{-1} \in G^* \setminus M^*$, we have $G^* = \langle M^*, xy^{-1}\rangle$.

In the general case first $(G/N)^*$ is computed inductively. If $(G/N)^* = G/N$ then one proceeds as in the
simplified case. Otherwise we set $K = (G/N)^*N$. We claim that $G^* = K^*$. For this we will show that
$G^* \subseteq K$. To see this, let x be an element of $G^*$. Then $x = yz$ where $y \in G/N$ and $z \in N$. We show that
y is in $(G/N)^*$ which implies that $x \in K$. Indeed, $y^p = y^pz^p = (yz)^p = 1$, where the first equality follows
from $|N| = p$, the second from $N \le Z(G)$ and the third from $x \in G^*$. Finally observe that $(K/N)^* = K/N$
since $K/N = (G/N)^*$. Therefore one can determine $K^*$ inductively as in the simplified case.

Let c(s) denote the number of recursive calls when the length of a presentation is s. In the simplified
case the number of calls is $s - 1$. Therefore in the general case we have $c(s) = c(s-1) + s - 2$, whose solution
is $c(s) = O(s^2)$.

□ 



4 The quantum algorithm 

The quantum part of our algorithm, up to technicalities, follows the same lines as the algorithm given in [12]
for extraspecial groups. The proofs in this section are included here for the sake of completeness.

Theorem 3. Let G be a nil-2 p-group of exponent p, and let us be given an oracle f which hides a subgroup
H of G whose cardinality is either 1 or p. If we have an efficient quantum procedure (using f) which hides
HG' in G then H can be found efficiently.

Proof. First observe that finding H is efficiently reducible to finding HG'. Indeed, HG' is an abelian
subgroup of G since H is abelian. The restriction of the hiding function f to HG' of G hides H. Therefore
the standard algorithm for solving the HSP in abelian groups applied to HG' with oracle f yields H.

Let us now suppose that G has parameters (m, d). We will show that finding HG' can be efficiently reduced
to the hidden subgroup problem in an abelian group. Let us denote for every element $g = x_1^{e_1} \cdots x_m^{e_m} z_1^{f_1} \cdots z_d^{f_d}$
of G, by $\overline{g}$ the element $x_1^{e_1} \cdots x_m^{e_m}$. We define the group $\overline{G}$ whose base set is $\{\overline{g} : g \in G\}$. Observe that this
set of elements does not form a subgroup in G. To make $\overline{G}$ a group, its law is defined by $\overline{g_1} * \overline{g_2} = \overline{g_1g_2}$
for all $\overline{g_1}$ and $\overline{g_2}$ in $\overline{G}$. It is easy to check that $*$ is well defined, and is indeed a group multiplication. In
fact, the group $\overline{G}$ is isomorphic to $G/G'$ and therefore is isomorphic to $\mathbb{Z}_p^m$. For our purposes a nice way to
think about $\overline{G}$ is as a representation of $G/G'$ with unique encoding. Observe also that $HG' \cap \overline{G}$ is a subgroup
of $(\overline{G}, *)$ because $HG'/G'$ is a subgroup of $G/G'$. Since $HG' = (HG' \cap \overline{G})G'$, finding HG' is efficiently
reducible to finding $HG' \cap \overline{G}$ in $\overline{G}$.

To finish the proof, let us remark that the procedure which hides HG' in G hides also $HG' \cap \overline{G}$ in $\overline{G}$.
Since $\overline{G}$ is abelian, Fact 1 implies that we can find efficiently $HG' \cap \overline{G}$. □

Theorem 4. Let G be a nil-2 p-group of exponent p, and let us be given an oracle f which hides a subgroup H
of G. Then there is an efficient quantum procedure which hides HG' in G.

Proof. The basic idea of the quantum procedure is the following. Suppose that we could create, for some
$a \in G$, the coset state $|aHG'\rangle$. Then the group action $g \to |aHG' \cdot g\rangle$ is a hiding procedure. Unfortunately,
$|aHG'\rangle$ can only be created efficiently when p and d are constant. In general, we can create efficiently $|aHG'_u\rangle$
for random $a \in G$ and $u \in G'$, where by definition $|G'_u\rangle = \frac{1}{\sqrt{p^d}} \sum_{z \in \mathbb{Z}_p^d} \omega^{-\langle u,z\rangle}|z\rangle$. Then $|aHG'_u \cdot h\rangle =
|aHG'_u\rangle$ for every $h \in H$, and $|G'_u \cdot z\rangle = \omega^{\langle u,z\rangle}|G'_u\rangle$. To cancel the disturbing phase we will use a more
sophisticated group action via the group automorphisms $\phi_j$ on several copies of the states $|aHG'_u\rangle$.

Lemma 4. There is an efficient quantum procedure which creates $\frac{1}{\sqrt{p^d}} \sum_{u \in \mathbb{Z}_p^d} |u\rangle|aHG'_u\rangle$ where a is a random
element from G.

Proof. We start with $|0\rangle|0\rangle|0\rangle$. Since we have access to the hiding function f, we can create the superposition
$\frac{1}{\sqrt{|G|}} \sum_{g \in G} |0\rangle|g\rangle|f(g)\rangle$. Observing and discarding the third register we get $|0\rangle|aH\rangle$ for a random element a.
Applying the Fourier transform over $\mathbb{Z}_p^d$ to the first register gives $|\mathbb{Z}_p^d\rangle|aH\rangle$. Multiplying the second register
by the opposite of the first one results in $\frac{1}{\sqrt{p^d}} \sum_{z \in \mathbb{Z}_p^d} |-z\rangle|aHz\rangle$. A final Fourier transform in the first register
creates the required superposition. □

Our next lemma which is an immediate consequence of Proposition 1 claims that the states $|aHG'_u\rangle$
are eigenvectors of the group action of multiplication from the right by $\phi_j(g)$, whenever g is from HG'.
Moreover, the corresponding eigenvalues are some powers of the root of the unity, the exponent does not
depend on a, and the dependence on u and j is relatively simple.

Lemma 5. We have

1. $\forall z \in \mathbb{Z}_p^d, \forall a \in G, \forall u \in \mathbb{Z}_p^d, \forall j \in \mathbb{Z}_p$, $|aHG'_u \cdot \phi_j(z)\rangle = \omega^{\langle u,z\rangle j^2}|aHG'_u\rangle$,

2. $\forall h \in H, \forall a \in G, \forall u \in \mathbb{Z}_p^d, \forall j \in \mathbb{Z}_p$, $|aHG'_u \cdot \phi_j(h)\rangle = \omega^{\langle u,z_h\rangle(j-j^2)}|aHG'_u\rangle$.

The principal idea now is to take several copies of the states $|a_iHG'_{u_i}\rangle$ and choose the $j_i$ so that the
product of the corresponding eigenvalues becomes the unity. Therefore the combined actions $\phi_{j_i}(g)$, when
g is from HG', will not modify the combined state. It turns out that we can achieve this with a sufficiently
large number of copies. Let $n = n(d)$ be some function of d to be determined later.

For $a = (a_1, \ldots, a_n) \in G^n$, $u = (u_1, \ldots, u_n) \in (\mathbb{Z}_p^d)^n$, $j = (j_1, \ldots, j_n) \in (\mathbb{Z}_p)^n \setminus \{0^n\}$ and $g \in G$, we
define the quantum state $|\Psi_g^{a,u,j}\rangle$ in $\mathbb{C}^{G^n}$ by

$$|\Psi_g^{a,u,j}\rangle = \bigotimes_{i=1}^{n} |a_iHG'_{u_i} \cdot \phi_{j_i}(g)\rangle.$$

Our purpose is to find an efficient procedure to generate triples (a, u, j) such that for every g in HG',
$|\Psi_g^{a,u,j}\rangle = \bigotimes_{i=1}^{n} |a_iHG'_{u_i}\rangle$. We call such triples appropriate. The reason to look for appropriate triples is
that they lead to hiding sets for HG' in G as stated in the next lemma.

Lemma 6. If (a, u, j) is an appropriate triple then $\{|\Psi_g^{a,u,j}\rangle : g \in G\}$ is hiding for HG' in G.

Proof. To see this, first observe that HG' is a normal subgroup of G. If $g_1$ and $g_2$ are in different cosets of
HG' in G then let $1 \le i \le n$ such that $j_i \ne 0$. The elements $\phi_{j_i}(g_1)$ and $\phi_{j_i}(g_2)$ are in different cosets of
HG' in G since $\phi_{j_i}$ is an automorphism of G. Also, we have $\mathrm{supp}(|a_iHG'_{u_i}\rangle) = \mathrm{supp}(|a_iHG'\rangle)$, and therefore
$\mathrm{supp}(|a_iHG'_{u_i} \cdot \phi_{j_i}(g_1)\rangle)$ and $\mathrm{supp}(|a_iHG'_{u_i} \cdot \phi_{j_i}(g_2)\rangle)$ are included in different cosets and are disjoint. Thus the
states $|\Psi_{g_1}^{a,u,j}\rangle$ and $|\Psi_{g_2}^{a,u,j}\rangle$ are orthogonal.

If $g_1$ and $g_2$ are in the same coset of HG' then $g_1 = gg_2$ for some $g \in HG'$, and for all $1 \le i \le n$, we
have $\phi_{j_i}(g_1) = \phi_{j_i}(g)\phi_{j_i}(g_2)$. Thus $|\Psi_{g_1}^{a,u,j}\rangle = |\Psi_{gg_2}^{a,u,j}\rangle = |\Psi_{g_2}^{a,u,j}\rangle$. □

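Let us now address the question of existence of appropriate triples and efficient ways to generate them.
Let (a, u, j) be an arbitrary element of $G^n \times (\mathbb{Z}_p^d)^n \times (\mathbb{Z}_p)^n \setminus \{0^n\}$, and let g be an element of HG'. Then
$g = hz$ for some $h \in H$ and $z \in \mathbb{Z}_p^d$, and $\phi_{j_i}(g) = \phi_{j_i}(h)\phi_{j_i}(z)$ for $i = 1, \ldots, n$. By Lemma 5 we have
$|a_iHG'_{u_i} \cdot \phi_{j_i}(z)\rangle = \omega^{\langle u_i,z\rangle j_i^2}|a_iHG'_{u_i}\rangle$, and $|a_iHG'_{u_i} \cdot \phi_{j_i}(h)\rangle = \omega^{\langle u_i,z_h\rangle(j_i-j_i^2)}|a_iHG'_{u_i}\rangle$, and therefore

$$|\Psi_g^{a,u,j}\rangle = \omega^{\sum_{i=1}^{n} \langle u_i,z_h\rangle(j_i-j_i^2) + \langle u_i,z\rangle j_i^2} \bigotimes_{i=1}^{n} |a_iHG'_{u_i}\rangle.$$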

For a given u, we consider the following system of quadratic equations, written in vectorial form: 

It should be clear that when this system has a nontrivial solution j (that is $j \ne 0^n$) then (a, u, j) is an
appropriate triple, for every a. In fact, the Chevalley-Warning theorem [3, 22] implies that the following
equivalent system of vectorial equations has a nontrivial solution for every u, whenever n > 3d.

Moreover, if we take a substantially larger number of variables, we can find a solution in polynomial time. 

Theorem 5. If $n = (d+1)^2(d+2)/2$ then we can find a nontrivial solution for the system (1) in polynomial
time.

The proof of Theorem 5 will be given in the next section. To finish the proof of Theorem 4 we describe
the efficient hiding procedure. On input $|g\rangle$, it computes, for some $a \in G^n$, the superposition

$$\frac{1}{p^{dn/2}} \bigotimes_{i=1}^{n} \sum_{u_i \in \mathbb{Z}_p^d} |u_i\rangle|a_iHG'_{u_i}\rangle$$

which by Lemma 4 can be done efficiently, and then it measures the registers for the $u_i$. Then, by Theorem 5
it finds efficiently a nontrivial solution j for system (1). Such a triple (a, u, j) is appropriate, and therefore
by Lemma 6 $\{|\Psi_g^{a,u,j}\rangle : g \in G\}$ is hiding for HG' in G. Using the additional input $|g\rangle$, the procedure finally
computes $|\Psi_g^{a,u,j}\rangle$. □



5 Solving the system of equations 

This section is fully dedicated to the proof of Theorem 5. If p = 2 then the d quadratic and the d linear
equations coincide, and the (linear) system can easily be solved in polynomial time. Therefore, from now
on, we suppose that p > 2. Let us detail system (1), where we set $u_i = (u_{1,i}, u_{2,i}, \ldots, u_{d,i})$. We have the
following system of d homogeneous quadratic and d homogeneous linear equations with n variables:

We start by considering only the quadratic part of the system, that is

$$\forall \ell \in [|1,d|], \quad \sum_{i=1}^{n'} u_{\ell,i}\, j_i^2 = 0 \qquad (3)$$

for some integer n'.

Claim 1. If $n' = (d+1)(d+2)/2$ then we can find a nontrivial solution for (3) in polynomial time.

Proof. For the ease of notation we are going to represent this system by the $d \times n'$ matrix

$$M = \begin{pmatrix} u_{1,1} & \cdots & u_{1,n'} \\ \vdots & & \vdots \\ u_{d,1} & \cdots & u_{d,n'} \end{pmatrix}.$$

We will present a recursive algorithm whose complexity will be polynomial in d and in log p. When d = 1,
the unique quadratic equation is of the form $u_{1,1}j_1^2 + u_{1,2}j_2^2 + u_{1,3}j_3^2 = 0$. According to a special case of
the main result in the thesis of van de Woestijne (Theorem A3 of [13]), a nontrivial solution for this can be
found in polynomial time in log p.

Let us suppose now that we have d equations in $n' = (d+1)(d+2)/2$ variables. We can make elementary
operations on M (adding two lines and multiplying a line with a nonzero constant) without changing the
solutions of the system. Our purpose is to reduce it with such operations to d − 1 equations in at least
$d(d+1)/2$ variables. If the system is of rank less than d, then we can erase an equation and get an
equivalent system with only d − 1 equations in the same number of variables. Otherwise, we perform
Gaussian elimination resulting in the matrix

$$M_1 = \begin{pmatrix} 1 & & 0 & u^{(1)}_{1,d+1} & \cdots & u^{(1)}_{1,n'} \\ & \ddots & & \vdots & & \vdots \\ 0 & & 1 & u^{(1)}_{d,d+1} & \cdots & u^{(1)}_{d,n'} \end{pmatrix}.$$

Since checking quadratic residuosity is simple, and for odd p, half of the elements of $\mathbb{Z}_p^*$ are squares,
we can easily compute a quadratic non-residue $\lambda$ in probabilistic polynomial time. Then every quadratic
non-residue is the product of a square and $\lambda$. We will look at column d + 1 of $M_1$. If the column is 0
everywhere then $j_{d+1} = 1$ and $j_i = 0$ for $i \ne d+1$ is a nontrivial solution of the whole system. Otherwise,
without loss of generality, we can suppose that for some $(k_1, k_2) \ne (0,0)$ the first $k_1$ elements are squares,
the following $k_2$ elements are the product of $\lambda$ and a square, and the last $d - k_1 - k_2$ elements are zero.
Thus there exist $v_1, \ldots, v_{k_1+k_2}$ different from 0, such that $u^{(1)}_{i,d+1} = v_i^2$ for $1 \le i \le k_1$, and $u^{(1)}_{i,d+1} = \lambda v_i^2$
for $k_1 + 1 \le i \le k_1 + k_2$. Once we have a quadratic non-residue, the square roots $v_1, \ldots, v_{k_1+k_2}$ can be
found in deterministic polynomial time in log p by the Shanks-Tonelli algorithm [2^. We set the variables
$j_{k_1+k_2+1}, \ldots, j_d$ to 0, and eliminate columns $k_1 + k_2 + 1, \ldots, d$ from $M_1$. Then for $i = 1, \ldots, k_1 + k_2$, we
divide the line i by $v_i^2$. Introducing the new variables $j'_i = j_iv_i^{-1}$ for $1 \le i \le k_1 + k_2$, the matrix of the
system in the $n' - d + k_1 + k_2$ variables $j'_1, \ldots, j'_{k_1+k_2}, j_{d+1}, \ldots, j_{n'}$ is

$$M_2 = \begin{pmatrix}
1 & & & & & & 1 & u^{(2)}_{1,d+2} & \cdots & u^{(2)}_{1,n'} \\
 & \ddots & & & & & \vdots & \vdots & & \vdots \\
 & & 1 & & & & 1 & u^{(2)}_{k_1,d+2} & \cdots & u^{(2)}_{k_1,n'} \\
 & & & 1 & & & \lambda & u^{(2)}_{k_1+1,d+2} & \cdots & u^{(2)}_{k_1+1,n'} \\
 & & & & \ddots & & \vdots & \vdots & & \vdots \\
 & & & & & 1 & \lambda & u^{(2)}_{k_1+k_2,d+2} & \cdots & u^{(2)}_{k_1+k_2,n'} \\
 & & & & & & 0 & u^{(2)}_{k_1+k_2+1,d+2} & \cdots & u^{(2)}_{k_1+k_2+1,n'} \\
 & & & & & & \vdots & \vdots & & \vdots \\
 & & & & & & 0 & u^{(2)}_{d,d+2} & \cdots & u^{(2)}_{d,n'}
\end{pmatrix}.$$

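In $M_2$ we subtract the first line from lines $2, \ldots, k_1$ and line $k_1 + 1$ from lines $k_1 + 2, \ldots, k_1 + k_2$. Then
we set the variables $j'_2, \ldots, j'_{k_1}$ to $j'_1$, and variables $j'_{k_1+2}, \ldots, j'_{k_1+k_2}$ to $j'_{k_1+1}$. The corresponding changes
in the matrix are eliminating columns $2, \ldots, k_1$ and $k_1 + 2, \ldots, k_1 + k_2$ and putting 0 in columns 1 and $k_1 + 1$
everywhere but respectively in line 1 and line $k_1 + 1$. Finally, by exchanging line 2 and line $k_1 + 1$, we get
the matrix

$$M_3 = \begin{pmatrix}
1 & 0 & 1 & u^{(3)}_{1,d+2} & \cdots & u^{(3)}_{1,n'} \\
0 & 1 & \lambda & u^{(3)}_{2,d+2} & \cdots & u^{(3)}_{2,n'} \\
0 & 0 & 0 & u^{(3)}_{3,d+2} & \cdots & u^{(3)}_{3,n'} \\
\vdots & \vdots & \vdots & \vdots & & \vdots \\
0 & 0 & 0 & u^{(3)}_{d,d+2} & \cdots & u^{(3)}_{d,n'}
\end{pmatrix}$$

in variables $j'_1, j'_{k_1+1}, j_{d+1}, \ldots, j_{n'}$.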

To finish the reduction, we will distinguish two cases, depending on the congruency class of p modulo 4.
When $p \equiv 1$ modulo 4, the element −1 is a square, and in polynomial time in log p we can find s such that $s^2 = -1$.
We set $j'_1 = sj_{d+1}$, eliminate column 1 from matrix $M_3$, put 0 in line 1 column d + 1, and exchange line 1
and line 2. When $p \equiv 3$ modulo 4, the element −1 is not a square, and therefore we can choose $\lambda = -1$. We
set $j'_{k_1+1} = j_{d+1}$, eliminate column 2, and put 0 in line 2 column d + 1.

In both cases we end up with a matrix of the form

$$M_4 = \begin{pmatrix}
1 & a & u^{(4)}_{1,d+2} & \cdots & u^{(4)}_{1,n'} \\
0 & 0 & u^{(4)}_{2,d+2} & \cdots & u^{(4)}_{2,n'} \\
\vdots & \vdots & \vdots & & \vdots \\
0 & 0 & u^{(4)}_{d,d+2} & \cdots & u^{(4)}_{d,n'}
\end{pmatrix}$$

in the variables $j', j_{d+1}, \ldots, j_{n'}$ where $a = \lambda$ and $j' = j'_{k_1+1}$ when $p \equiv 1$ modulo 4, and $a = 1$ and $j' = j'_1$ otherwise.
Without the first line it represents a system of d − 1 equations in $n' - (d+1) = d(d+1)/2$ variables for which
we can find a nontrivial solution by induction. Let $j_{d+2}, \ldots, j_{n'}$ be such a solution, and set $h = \sum_{k=d+2}^{n'} u^{(4)}_{1,k}\, j_k^2$.
To give values to the remaining two variables we have to solve the equation $j'^2 + aj_{d+1}^2 + h = 0$. It is
easy to see that the equation is always solvable, and then by Theorem A3 of [53] a solution can be found
deterministically in polynomial time.

Gaussian elimination on M can be done in time $O(d^4)$. Finding a nontrivial solution for a quadratic
homogeneous equation in 3 variables takes time $q_1(\log p)$, solving a quadratic equation in two variables takes
time $q_2(\log p)$, and finding a square root modulo p takes time $q_3(\log p)$ where $q_1$, $q_2$ and $q_3$ are polynomials.
Therefore the complexity of solving system (1) is $O(d^5 + d^2q_3(\log p) + dq_2(\log p) + q_1(\log p))$.

□ 

We now turn to the system (2). Let $n' = n/(d+1)$, and for $0 \le k \le d$, consider the system of d
quadratic equations in n' variables:



0. 



By Claim 1 each of these systems has a nontrivial solution that we can find in polynomial time. For each
k, let $(j_{kn'+1}, \ldots, j_{(k+1)n'})$ be such a solution of the kth quadratic system. Then the set

$$\{(\lambda_0j_1, \ldots, \lambda_0j_{n'}, \lambda_1j_{n'+1}, \ldots, \lambda_1j_{2n'}, \ldots, \lambda_dj_{dn'+1}, \ldots, \lambda_dj_{(d+1)n'}) : (\lambda_0, \lambda_1, \ldots, \lambda_d) \in \mathbb{Z}_p^{d+1}\}$$

is a d + 1 dimensional subspace of $\mathbb{Z}_p^n$ whose elements are solutions of the d quadratic equations in (2).
Since in (2) there are d linear equations, we can find a nontrivial $(\lambda_0, \lambda_1, \ldots, \lambda_d) \in \mathbb{Z}_p^{d+1}$ such that
$(\lambda_0j_1, \ldots, \lambda_0j_{n'}, \lambda_1j_{n'+1}, \ldots, \lambda_1j_{2n'}, \ldots, \lambda_dj_{dn'+1}, \ldots, \lambda_dj_{(d+1)n'})$ is a (nontrivial) solution of the linear part
of (2) and therefore of the whole system. □
Observe that the only probabilistic part of the algorithm is the generation of a quadratic non-residue 
modulo p. 
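
The block-combination step that closes the proof can be run classically on small instances. The Python sketch below is an added example, not the authors' implementation: it assumes the system to solve is $\sum_i u_{\ell,i} j_i^2 = 0$ and $\sum_i u_{\ell,i} j_i = 0$ modulo p for every $\ell$, and it replaces the recursive procedure of Claim 1 by exhaustive search over each block, so it is usable only for tiny p and d; the matrices are constructed samples.

```python
from itertools import product


def quad_block_solution(p, rows):
    """Nonzero j with sum_i rows[l][i] * j_i^2 = 0 (mod p) for every row l.

    Exhaustive search, a stand-in for the recursive procedure of Claim 1.
    """
    n = len(rows[0])
    for j in product(range(p), repeat=n):
        if any(j) and all(sum(u * x * x for u, x in zip(r, j)) % p == 0
                          for r in rows):
            return list(j)
    return None   # does not happen when n > 2 * len(rows) (Chevalley-Warning)


def kernel_vector(p, A):
    """Nonzero x with A x = 0 (mod p); A must have more columns than rows."""
    A = [[a % p for a in row] for row in A]
    ncols, pivots, r = len(A[0]), [], 0
    for c in range(ncols):
        pr = next((i for i in range(r, len(A)) if A[i][c]), None)
        if pr is None:
            continue
        A[r], A[pr] = A[pr], A[r]
        inv = pow(A[r][c], -1, p)
        A[r] = [a * inv % p for a in A[r]]
        for i in range(len(A)):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(a - f * b) % p for a, b in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
        if r == len(A):
            break
    free = next(c for c in range(ncols) if c not in pivots)
    x = [0] * ncols
    x[free] = 1
    for row, c in zip(A, pivots):      # reduced rows: x_c + row[free] * x_free = 0
        x[c] = -row[free] % p
    return x


def solve_system(p, U):
    """U is a d x n matrix over Z_p with n = (d+1) * n'. Returns a nonzero j
    solving both the quadratic and the linear equations modulo p."""
    d, n = len(U), len(U[0])
    assert n % (d + 1) == 0
    nb = n // (d + 1)                  # block length n'
    blocks = [quad_block_solution(p, [row[k * nb:(k + 1) * nb] for row in U])
              for k in range(d + 1)]
    # Scaling block k by lambda_k multiplies its quadratic sums by lambda_k^2,
    # so they stay 0; the linear part becomes d equations in lambda_0..lambda_d.
    L = [[sum(U[l][k * nb + t] * blocks[k][t] for t in range(nb)) % p
          for k in range(d + 1)] for l in range(d)]
    lam = kernel_vector(p, L)
    return [lam[k] * x % p for k in range(d + 1) for x in blocks[k]]


def residuals(p, U, j):
    quad = [sum(u * x * x for u, x in zip(row, j)) % p for row in U]
    lin = [sum(u * x for u, x in zip(row, j)) % p for row in U]
    return quad, lin


# Constructed sample with p = 5, d = 2, n' = 6, n = 18.
U_SAMPLE = [[1, 2, 3, 4, 1, 2, 3, 4, 1, 2, 3, 4, 1, 1, 2, 2, 3, 3],
            [2, 1, 4, 3, 0, 1, 1, 0, 2, 3, 4, 1, 4, 3, 2, 1, 0, 2]]

if __name__ == "__main__":
    j = solve_system(5, U_SAMPLE)
    print("j =", j)
    print("residuals (quadratic, linear):", residuals(5, U_SAMPLE, j))
```

The exhaustive search costs up to $p^{n'}$ evaluations per block, which is exactly what the recursive reduction of Claim 1 avoids.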